Ben Bucksch wrote:
> Even if we have generic UI (like green bar), it does not help us, if we
> have nothing to back it up. We should not show "Good" unless we're sure
> the site is *trustworthy* - not just verified address/identity, not on
> blacklist, etc., but really a site that we can recommend.
> We can't determine that.
> It's not what certs are about, it's not what EV is about. It's what the
> Better Business Bureau or reputation systems or word of mouth are all
> about. And we don't integrate with any of those.

Determining whether someone is _actually_ trustworthy is really, really
hard. How do you know I'm trustworthy? Just because I have been so far
doesn't mean I will be in the future. I could be gaining your trust to
rip you off.

It is far easier to keep people honest by saying "I know where you live"
than to try and assess their actual honesty with no comeback if you are
wrong. So EV does the former, not the latter.

> Or in other words: If EV is not bulletproof, it adds nothing, and does
> not add anything.

That's the fallacy of unattainable perfection.

> If we show it, and the checks were not performed
> properly by the CA, and the CA disclaims liability, the users will be
> mad at us or the Internet as a whole.

If the checks were not performed properly by the CA, the CA is liable.
And we and the user will be mad at them, because we can't catch the bad
guys because the CA has duff information.

> Similarly, if we show "green", "good" or whatever for PayPal, and PayPal
> decides to freeze their account for no good reason (as they often do),
> or their account gets robbed without their fault and PayPal does nothing
> (as they always do), the user will understandably be *extremely* mad,
> and we'll get part of the blame for showing "good", and the Internet as
> a whole will be blamed. The fact that VeriSign verified the street
> address of PayPal actually changes nothing.

This is why Beltzner keeps insisting that whatever UI we show, we can't
associate it with "trustworthy". We can't _do_ "trustworthy" as an
indicator.

> So, unless we change the scope of CAs a lot, all that EV can give us, in
> the way it's currently designed, is a verification of identity and
> address, and all we can do is show that. That's actually what I'd like
> to do, if we can make the displayed name meaningful and phishing-safe.

We seem to be in violent agreement. I don't quite know why you continue
to argue this as if someone disagrees with you :-)
Gerv
_______________________________________________
dev-security mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security